As computer forensics experts we are bound to abide by the ACPO Principles of Digital Based Evidence, ACPO being the Association of Chief Police Officers. ACPO provides a set of Guidelines for Computer Based Evidence, and they come with a suite of four essential principles. Here they are.
The main principles of the ACPO Good Practice Guide for Computer Based Electronic Evidence
- No action must be taken that will change data held on a digital device that could later be relied on as evidence in Court.
- If it’s necessary to access original data held on a digital device, you must be both competent to do so and able to explain your actions, as well as their impact on any digital evidence used in a Court.
- A trail or record of all the actions taken and applied to the digital evidence must be created and kept safely and securely. If an independent third party forensic expert examines the processes they should be able to come to the exact same conclusion.
- The person in charge of the investigation has the overall responsibility of making sure these principles are followed.
About the ACPO Guidelines For Computer Based Evidence
As you might expect, computer based electronic evidence has to abide by the same rules and expectations as any other evidence provided to a Court. The onus is on the prosecution to prove that the evidence it presents is no more and no less than it was when it was first taken into possession by the police at the point when it was seized.
Computer and mobile phone operating systems and other programs often change the data held on a device, for example by creating and deleting files without the user being aware. It can happen when you turn on a computer, tablet or mobile phone. Compliance with the ACPO principles of computer based evidence involves, wherever possible, taking a full bit copy image of the device’s memory. If the sheer amount of data means it’s impossible to take a full copy, we can make a ‘partial or selected’ copy. As the official forensic examiner, we have to take great care to make sure all the evidence is captured properly.
The ACPO guidelines for digital based evidence also say that data must be acquired using a suitable write blocking hardware unit. This isn’t always possible, for example when the original digital device itself requires access. In this case the person carrying out the process – us – must be competent to provide evidence in Court and be able to clearly explain our actions.
When giving evidence in Court we must be objective and fair. We have to be able to support each process we’ve completed with digital evidence, including acquiring and examining data in a way that means third party digital examiners can repeat the exact same process if needs be, and arrive at the same result as the one presented in Court.
Any questions?
We’re always delighted to explain ACPO’s stance if you want us to. As you’d expect, we are fully competent to do so. We can also help with anything to do with Cyber Essentials certification and Cyber Essentials Plus.